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CLAIMS 

What is claimed as new and desired to be protected by Letters Patent of the United 
States is: 

1 1 . An internet service provider (ISP) VPN network comprising: 

2 a plurality of edge routers; 

3 a plurality of core routers adapted to allow communication between said 

4 plurality of edge routers; 

5 a VPN application in communication with a first one of said plurality of edge 

6 routers, said VPN application having a first IP address; and 

7 a black-hole router in communication with said core routers, said black-hole 

8 router adapted to inject a second IP address into said ISP VPN network, said second IP 

9 address comprising: 

10 the same address as the first IP address; 

1 1 a higher preference value than said first IP address; and 

12 a community value such that when said second IP address is injected, a 

13 selected first number of edge routers direct VPN traffic addressed for said first IP address to 

14 said VPN application and a selected second number of edge routers direct VPN traffic 

15 addressed for said first IP address to said black hole router. 

1 2. The ISP network of claim 1 , wherein said ISP system is a Multiprotocol Label 

2 Switching Virtual Private Network (MLS VPN) ISP. 
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1 3. The ISP network of claim 1 , wherein said black-hole router injects said second 

2 IP address in response to a Distributed Denial of Service (DDoS) attack on said VPN 

3 application. 

1 4. The ISP network of claim 1, wherein said community value can be changed in 

2 real-time by said black-hole router. 

1 5. The ISP network of claim 1, wherein said ISP network utilizes dynamic 

2 routing protocols in combination with community-based route filtering to propagate the 

3 injected second IP address to said edge routers. 

1 6. The ISP network of claim 1 wherein when said second number of edge routers 



2 directs VPN traffic, addressed for said first IP address, to said black hole router, said black 

3 hole router is adapted to receive such traffic as black-holed-traffic, said black-hole router 

4 adapted to analyze said black-holed traffic in order to determine a ratio of attack traffic to 

5 legitimate traffic. 



1 7. The ISP network of claim 1, further comprising at least one route reflector, 

2 each one of said route reflectors being connected to a different set of edge routers from said 

3 plurality of edge routers, said route reflectors being adapted to update said edge routers with 

4 route instructions, such route instructions including said injected second address. 
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1 8. An ISP network comprising: 

2 a plurality of edge routers; 

3 an application in direct or indirect electrical communication with a first one of 

4 said plurality of edge routers; 

5 said application having a first IP address such that VPN traffic addressed for 

6 said first IP address and entering said ISP network at any one of said plurality of edge routers, 

7 is routed to said application; 

8 a black-hole router; 

9 a router adapted to inject an instruction into said ISP network, such that select 



10 edge router(s) redirect VPN traffic, which is addressed to said first IP address, to said black- 

1 1 hole router. 



1 9. The ISP network of claim 8, wherein said injected instruction comprises a 

2 routing instruction having the same IP address as said first IP address, but with a higher 

3 preference than said first IP address and having a community value. 

1 10. The ISP network of claim 8, wherein said ISP network is a MLS VPN ISP 

2 network. 

1 11. The ISP network of claim 8, wherein said router and said black-hole router are 

2 the same device. 
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12. The ISP network of claim 8, wherein said injected instruction is a Border 
Gateway Protocol (BGP) routing instruction. 

13. The ISP network of claim 8, wherein said black-hole router is adapted to 
receive redirected traffic from said select edge router(s) and to determine a ratio of attack 
VPN traffic to legitimate VPN traffic found in said redirected traffic. 

14. The ISP network of claim 8, wherein said router injects said instruction when 
said application is experiencing a DDoS attack. 
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1 15. A method of managing a DDoS attack on an application within an ISP, said 

2 application having a first IP address, said method comprising: 

3 injecting a BGP routing instruction into said ISP when said DDoS attack is 

4 occurring; 

5 redirecting, at selected edge routers, VPN traffic addressed for said first IP 

6 address to a black-hole router; 

7 directing, at other edge routers, VPN traffic addressed for said first IP address 

8 to said application that is experiencing said DDoS attack. 

1 16. The method of claim 15, wherein said ISP network is a MPLS VPN ISP 

2 network. 

1 17. The method of claim 1 5, further comprising: 

2 receiving, at said black-hole router, said redirected VPN traffic; and 

3 determining an amount of attack traffic therein. 

1 18. The method of claim 15, further comprising changing, in real-time one or 

2 more of the selected redirecting edge routers to a directing edge router. 

1 19 The method of claim 15, wherein injecting said BGP routing instruction into 

2 said ISP is done by providing said BGP routing instruction to a route-reflector for 

3 disseminating said BGP routing instruction to other route reflectors within said ISP network. 
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